#6520 closed enhancement (fixed)
Form-based authentication support
| Reported by: | anonymous | Owned by: | roadrunner |
|---|---|---|---|
| Priority: | normal | Component: | HudsonTracPlugin |
| Severity: | normal | Keywords: | |
| Cc: | mariuszs, hetslov@…, chris@… | Trac Release: | 0.11 |
Description
Hi roadrunner,
first thanks for the plugin! I just secured hudson and now i am getting a 403 error when i want to see the Timeline (Hudson Builds event provider (HudsonTracPlugin) failed ... HTTPError: HTTP Error 403: Forbidden. This most likely means you configured a wrong job_url.)
Configuration:
- hudson with ldap login, running on tomcat (windows). manual login works fine.
- trac on ubuntu. connection with unsecured hudson works fine.
-> username/password is correct, i double-checked it. I also tried the no_chal patch wihtout success. Any ideas what i may try/check?
Thanks!
Attachments (0)
Change History (15)
comment:1 Changed 14 years ago by
comment:2 Changed 14 years ago by
Thanks for the quick reply!
I tried to put the URL directly into the adress-bar of my browser: It loaded the authetication-site from hudson and after providing my credetials it showed the xml. All good here.
Next thing I tried is to provide a false username/password in my trac.ini -> Still a 403 error! no 401 at all...
You are right, I am using matrix configuration (project-based). But I granted all rights to the user I want to use for trac integration, so that sould not be the problem.
Any more ideas what i could try or debug?
thanks for any help!
comment:3 Changed 14 years ago by
I have this same problem. Project based matrix configuration, LDAP auths and all roles asigned to trac user. I can open list of builds by hands.
HTTP Error 403: Forbidden
comment:4 Changed 14 years ago by
| Cc: | mariuszs added; anonymous removed |
|---|
comment:5 Changed 14 years ago by
I need a some more details (sorry, don't have time to set up a site to test this right now): what do you mean "it loaded the authentication-site"? Does it show you a page with a form to enter username and password, or does it pop up the browser's username/password dialog? If the former, then that's the issue: this plugin only supports http authentication, not form-based authentication.
comment:6 Changed 14 years ago by
I think "it loaded the authentication-site" is about hudson form login when build list was accessed by hand.
Two diffrent users report this problem.
comment:7 Changed 14 years ago by
"this plugin only supports http authentication, not form-based authentication." Hmm, I think form based authentication in hudson is more common and easy to set up than http authentication. Please add this info to plugin homepage, because this plugin is useless now for most of users.
comment:8 Changed 14 years ago by
More, switching from form based login to http authentication is not possible. With form based authentication, project based matrix security setup and LDAP configuration Hudson can read user roles from LDAP and assingn permission to jobs. This cant be done with http authentication.
comment:9 Changed 14 years ago by
comment:10 follow-up: 11 Changed 14 years ago by
Hi,
thanks for the replies, i am the anonymous who started this topic ;-)
As mariuszs said when you use ldap-authentication in hudson (which we need in our setup to give permissions to ldap-groups for jobs) there is only form-based authentication (at least i cant find other options...).
Maybe change the type to enhancement (add form based authentication support)? Or are there any ideas for a workaround?
Many thanks, Steve
comment:11 Changed 14 years ago by
| Summary: | 403 Error → Form-based authentication support |
|---|---|
| Type: | defect → enhancement |
Replying to steve:
As mariuszs said when you use ldap-authentication in hudson (which we need in our setup to give permissions to ldap-groups for jobs) there is only form-based authentication (at least i cant find other options...).
Ok, that sucks. Maybe hudson could use an enhancement here.
Maybe change the type to enhancement (add form based authentication support)?
I'm changing the ticket.
If the form doesn't using any sort of form-token (xss protection) and
the login-url is well-known (e.g. can be reliably computed from the
job_url) then is probably easy enough to implement; otherwise it'll
need some html-parsing etc too - yuck. In any case it'll be a few weeks
before I can work on this. Unless somebody else wants to take a stab at
it.
comment:13 Changed 14 years ago by
| Cc: | hetslov@… added |
|---|
comment:14 Changed 14 years ago by
| Cc: | chris@… added |
|---|
comment:15 Changed 14 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
(In [7895]) Added support for hudson's form-based authentication.
This is based on a modified version of the patch submitted to #6332. Instead of requiring the user to configure yet another option, Hudson's 403 response is used to trigger the pre-emptive sending of auth info. This is only very slightly less secure than the config option, and only so in scenarios where the authentication for Hudson was using Digest auth but due to some config change Hudson is now returning a 403 - in this case the plugin will start sending the (essentially cleartext) username and password which could possibly now be snooped.
If had a wrong username/password you'd be seeing 401's; 403 means the user is not allowed to see that URL. The exact URL being retrieved is logged as part of the error - did you try exactly that URL manually? Since you say that it works with unsecured hudson, I'm presuming the job_url is therefore correct; in that case it looks like you've configured hudson to restrict access too much - try playing around with the permissions (I'm presuming you're using matrix-base security?).